Navigating Institutional Complexity: The Production of Risk Culture in the Financial Sector

Following the financial crisis, financial sector organizations faced increased pressures to reform their &#8216;risk cultures&#8217;. In this paper, we argue that the emergence of regulatory and managerial attention to risk culture is symptomatic of pressures to redefine the fundamental ends of financial institutions and to rebalance the pre&#8208;crisis emphasis on a logic of opportunity and risk&#8208;taking with a logic of precaution and risk control. Based on the analysis of normative practitioner texts and on extended contact with regulators, advisers and corporate actors in the UK financial sector over four years, we show how this initial complexity of ends is translated into uncertainty and conflict about the means through which risk culture might become an object amenable to intervention. On this basis, we contribute to the growing literature on &#8216;institutional complexity&#8217; by showing how organizational actors address conflicting pressures about both ends and means, and by discussing some key implications of their simplification strategies. Our analysis also contributes to recent studies of &#8216;means&#8208;ends decoupling&#8217;, showing how means, ends and the object of intervention itself &#8211; risk culture &#8211; co&#8208;evolve as they are reconstructed by organizational actors via their everyday practices.


INTRODUCTION
Reaction to the financial crisis of 2009 has focused to a large extent on the need to improve the 'risk culture' of banks and other financial organizations (e.g., CRO Forum, 2015;FSB, 2014FSB, , 2013IIA, 2014;IIF, 2009;IRM, 2012). This policy emphasis on risk culture reflects a post-crisis aspiration to rebalance two logics of risk-taking which exist in tension with one another. One, which might be called a 'logic of opportunity', is revealed in the history of innovation, risk-taking, business adventures and entrepreneurialism (e.g., O'Malley, 2004). The other -a 'logic of precaution' -emphasizes control, safety and risk avoidance and has a distinctive history within risk regulation and public safety (e.g., Hutter, 2010). The relationship between these two logics reflects a duality (opportunity vs. harm avoidance), which is inherent in the concept of risk itself (see Power, 2014).
Seen in these terms the financial crisis and the emergence of risk culture represent a prima facie case of 'institutional complexity', whereby an event rearticulates social expectations about the fundamental ends of financial institutions and exerts normative power in reorienting organizational practices (Greenwood et al., 2011;Thornton et al., 2012). A growing body of actor-level accounts of responses to institutional complexity (e.g., McPherson and Sauder, 2013;Smets and Jarzabkowski, 2013;Smets et al., 2015;Smets et al., 2012;Voronov et al., 2013) would suggest that the logics of opportunity and precaution, and the complexity deriving from their incompatible prescriptions about organizational ends, become woven into the work of the actors who seek to improve their organizations' risk cultures.
As part of a longitudinal study of risk culture in financial organizations operating in the UK, we had the opportunity to explore what organizational actors do when they confront such an emergent complexity of ends. Our initial analysis of data collected through a review of normative guidance documents written for practitioners and extended contact with regulators, advisers and corporate actors suggested that the complexity of ends was also amplified by a tension between apparently incompatible ways to define the means of intervention. In short, organizational actors seemed to navigate a constellation of means-ends logics rather than responding directly to the shifting binary logics of ends.
In the analysis which follows, we explore and explain how organizational actors navigate complexity at the level of both ends and means and how they perceive and construct their repertoire of responses. Our hunch is that, by exploring the dynamics of such a means-ends constellation of logics, we can extend the literature on organizational responses to institutional complexity in combination with recent studies that postulate an increasingly opaque relationship between means and organizational ends (see Bromley and Powell, 2012;Dick, 2015;Wijen, 2014).
To probe our hunch, we develop and appeal to the notion of workstream to emphasize that our unit of analysis is a dynamic and most likely unstable flow of organizational activities that respond to, and mediate, means-ends complexity. Drawing on an exemplar workstream within our broad set of data, we analyse in detail the means through which organizational actors respond to the complexity of ends and how means change over time in relation to those ends. As part of our analysis, we inductively derive two logics of means -labelled 'engineered' and 'organic' -that capture distinctive patterns underlying the selection of managerial practices, the theorization of risk culture and the mobilization of organizational actors towards it. Subsequently, with the support of prior literature as well as insights from our broader set of data, we develop a process model which shows how logics of means and ends dynamically co-evolve as they are reconstructed by organizational actors via their everyday practices.
The findings presented in this paper make two contributions. First, we extend work on responses to institutional complexity (e.g., Greenwood et al., 2011;McPherson and Sauder, 2013;Pache and Santos, 2010;Smets and Jarzabkowski, 2013;Smets et al., 2015;Smets et al., 2012;Voronov et al., 2013), showing how pressures about both ends and means are a key feature of the institutional complexity that organizational actors must navigate. In developing our process model, we show how societal demands to correct a risk culture skewed towards a logic of opportunity are translated into uncertainty and conflict about the means through which risk culture is made into an object that can be reformed. We also explain how organizational actors tend to gravitate towards a specific logic of means (engineered) that helps to de-complexify the complexity of both ends and means and restore a logic of opportunity. Finally, drawing in part on Friedland's (2012) recent critical engagement with the institutional logics perspective, we show how multiple logics are embodied in workstreams which are both oriented to, and productive of, risk culture as a new object amenable to managerial intervention.
Second, our longitudinal analysis of risk culture workstreams shows the co-formation and continuous realignment of ends and means prescribed via multiple and conflicting logics, rather than the decoupling postulated by Bromley and Powell (2012) and subsequently analysed by other scholars (Dick, 2015;Wijen, 2014). In our setting organizational actors struggle to stabilize both a balance between ends (opportunity vs. precaution), which exist in an inherent tension, and also a balance of incompatible means (engineered vs. organic). These two pairs of logics have a mutual influence on each other. For example, the repositioning of risk culture workstreams within an engineered logic, which was clearly predominant towards the end of our study, was made possible both by a reframing of organizational ends to emphasize opportunity and risktaking, and also by the parallel difficulty of making an organic approach visible and actionable. In short, the co-productive relation between means and ends in the field of risk culture is such that conflict and pressures about means have implications for ends and vice versa.
The paper is organized as follows. The next section suggests how the emergence of regulatory and managerial attention to risk culture is indicative of a distinctive kind of institutional complexity. The third section elaborates on our theoretical reference points -responses to institutional complexity and means-ends decoupling -which are combined in the analysis of risk culture. The fourth section describes our research approach, methodology and data sources. The fifth section provides the detailed analysis of an exemplar case and its risk culture workstream. The sixth section develops a model of risk culture dynamics, iterating between the details of the specific case, previous literature and insights from our broader set of data. The final section discusses the research implications and some limitations of our study.

INSTITUTIONAL COMPLEXITY AND RISK CULTURE
Our starting point is that, as put by Munir (2011, p. 115), 'the story of the crisis has within it a rich tale of shifting logics'. Organizational actors face the 'institutional complexity' (Greenwood et al., 2011) of incompatible prescriptions about the fundamental ends, organizing principles and mechanisms of control in financial institutions.
Several examples suggest a shift from a logic of opportunity praising innovative risktaking in a period of economic growth to a logic of precaution condemning excessive risktaking in a period of crisis. For example, the former Federal Reserve chairman admitted he had been 'partially wrong' in his hands-off approach towards the banking industry (Clark and Treanor, 2008). Financial innovation, once regarded positively, came to be seen as problematic (Tett, 2009). Bold pre-crisis statements, such as the infamous remark by Citigroup's CEO -'as long as the music is playing, you've got to get up and dance' -were used as reminders of how the reckless pursuit of profit can destabilize an entire society (Munir, 2011).
In this changed post-crisis context, from 2009 onwards companies, advisers and regulators began to talk of 'risk culture' as part of their diagnostic vocabulary (e.g., CRO Forum, 2015;Deloitte, 2015;EY, 2014EY, , 2015FSB, 2014FSB, , 2013IIA, 2014;IIF, 2009;IRM, 2012). Reflecting an apparent climate of moral panic about banking and bankers, risk culture emerged as a dominant frame for the problem of balancing risk control and risk-taking. Defective risk culture had the characteristics of a social problem (Hilgartner and Bosk, 1988) requiring managerial and regulatory intervention. 'Bad' risk culture could also be seen as a kind of policy 'risk object' (Hilgartner, 1992) in which 'excessive' and 'reckless' risk-taking had damaged whole societies. As put by the Institute of International Finance [1] (IIF) in 2009: 'Many discussions of the crisis have explored how firms' varying risk cultures have strongly affected their response to the building up of risk before the onset of market turmoil, or to the strains of coping with the crisis, or both'. (IIF, 2009, Appendix III, p. 1) Whereas the 'building up of risk' mentioned here might have been seen as an opportunity before the crisis, it was subsequently reframed as danger and harm, partly reflecting the inherent complexity of the term 'risk' itself (Power, 2014). From this high level point of view, the 'excessive risk-taking' (House of Commons Treasury Committee, 2009) that caused the financial crisis arose from a risk culture skewed towards the logic opportunity and was urgently in need of correction.
Post-crisis commentaries and regulatory documents also provide conflicting prescriptions about the means through which risk culture can be acted upon in specific organizational settings. On the one hand, the theme of culture attracts non-reductive and interactive understandings of behavior and ethics as drivers of risk (see Willman, 2014, Ch. 9). As put by a senior regulator, regulators should be able to 'draw conclusions about culture from what we observe about a firm -in other words, joining the dots rather than assessing culture directly' (Adamson, 2013). This approach suggests that risk culture is revealed through sense-making across disparate activities such as: how a firm deals with regulatory issues; customer experience at the point of sale; considerations around product approval processes; information escalation processes; remuneration structures and incentives.
On the other hand, there are also pressures to adopt less idiosyncratic and more standardized and auditable management processes (Meyer, 2002;Power, 1997). As put in a consultation document of the Financial Stability Board [2] (FSB) in 2013: 'Supervisors should also seek supporting evidence regarding how a firm systematically assesses risk culture including the processes used (e.g. employee surveys, independent reviews, internal reporting) and action plans to address findings on matters that may come to their attention'. (FSB, 2013, p. 4, emphasis added) To summarise, our preliminary review of practitioner articles and regulatory documents suggests that the emergence of risk culture is characterized by a distinctive form of institutional complexity in which organizational actors must navigate both the complexity of shifting ends (opportunity-precaution logics) and the complexity of the means through which these ends can be operationalized. For this reason, as we explain below, our analysis of risk culture combines insights from work on organizational responses to institutional complexity with studies that shed light on the potentially problematic relationship between organizational ends and means.

POSITIONING THE STUDY OF RISK CULTURE
In their review of decoupling research and theory, Bromley and Powell (2012) argue that modern organizations are more likely to experience gaps between practices and organizational goals (means-ends decoupling) rather than symbolic compliance and gaps between policies and practices (policy-practice decoupling). In other words, apparently neutral managerial techniques and processes -like accounting (see Miller and Power, 2013) -have an organizational and institutional life of their own which may frustrate organizational ends, even where organizational actors aspire to realize policy goals.
Recent studies shed further light on the conditions under which means-ends decoupling happens and persists over time. For example, in the context of socioenvironmental standards, Wijen (2014) argues that attempts to solve problems of symbolic compliance (policy-practice decoupling) in opaque fields tend to increase means-ends decoupling. This is because 'compliance-inducement' actions, such as the creation of standard rules and practices, are likely to be partial and at odds with local variety. And in a study of part time working in the police force, Dick (2015) argues that means-ends decoupling persists because actors pragmatically balance problems related to a practice (e.g., part time working increases efficiency problems) with the benefits of its latent function (e.g., preventing law suits).
The case of risk culture can be intuitively related to the literature on means-ends decoupling. As shown in the previous section, there are pressures for the production of demonstrable evidence about the efficacy of reforms, and yet the very object of reformrisk culture -is itself highly ambiguous. To date, however, relatively little is known about the precise dynamics of means-ends decoupling in specific organizational settings (the study by Dick, 2015, constitutes an exception). Indeed, as Haack and Schoeneborn (2015) suggest, further work is needed to explain the ideational dynamics involved in the construction of both means and ends as objects of attention and orientation. Furthermore, there is a risk that work on means-ends decoupling can import an implicitly functionalist view that a 'deviation' of means from the functional realization of ends reflects the 'bad' implementation of clearly-defined policies.
In our view, combining work on organizational responses to institutional complexity with that of means-ends decoupling helps to avoid this normative trap and supports a focus on how both ends and means are ambiguous, collective, inherently contested and, crucially, subject to conflicting institutional demands (Pache and Santos, 2010). Specifically, recent actor-level accounts of responses to institutional complexity (e.g., McPherson and Sauder, 2013;Smets and Jarzabkowski, 2013;Smets et al., 2015;Smets et al., 2012;Voronov et al., 2013) provide rich insights into the way in which multiple institutional logics are represented and selectively enacted in specific organizational settings and work situations.
A common theme is that organizational actors can pragmatically use and draw upon different logics, or part of their underlying practices, in response to experienced institutional complexity. For example, it has been shown that state attorneys, clinicians and public defenders flexibly use different logics to justify criminal sentences as they muddle through specific drug court cases (McPherson and Sauder, 2013). Similarly lawyers from a global law firm search for new ways of carrying out their tasks and foreground and prioritize specific referent audiences (Smets and Jarzabkowski, 2013;Smets et al., 2012). Representatives of the wine industry also selectively enact different scripts that contribute to materialize either an aesthetic or market logic (Voronov et al., 2013). And insurers proactively segment or recombine different logics depending on the specific work situation, including the type of location and audience (Smets et al., 2015).
A practical implication of these studies is to show that the use and recombination of existing logics, and their underlying practices, is both normal and consequential. For example, McPherson and Sauder (2013) argue that specific uses of institutional logics have important effects on court decisions. Smets and colleagues (2012) suggest that organizational actors foreground and give voice to particular audiences, while they silence others. In so doing, these actors engage in what can be called 'simplification processes' (Kostova et al., 2008(Kostova et al., , p. 1002, something which is also evident in our study of risk culture. This body of work on institutional complexity encourages the exploration of how social interactions within organizations shape understandings of institutional complexity and how organizational actors respond to conflicting prescriptions. Thornton and colleagues (2012, Ch. 6) suggest that important aspects of such intra-organizational dynamics relate to the 'problematization' of existing practices as well as the 'theorization' of new forms of collective mobilization and intervention via the specification of abstract categories and patterned cause-effect relations (see also Strang and Meyer, 1993). As we see in the case of risk culture, such theorization efforts also apply to the collective object of intervention itself -risk culture. Indeed, drawing in part on Friedland's (2012) recent critical engagement with the institutional logics perspective, we focus attention on how specific theorizations of risk culture as an object are at stake in, and entangled with, different logics.
Overall, the combination of the literature on means-ends decoupling and work on organizational responses to institutional complexity provides the theoretical positioning for our study of the dynamics of risk culture. The concept of means-ends decoupling sensitizes the analysis to the potentially problematic relationship between the means of intervention and intended organizational ends. The work on institutional complexity supports our focus on the intra-organizational level and how organizational actors respond to conflicting prescriptions. As an outcome of this combination of literatures, we examine not only the means through which organizational actors respond to the institutional complexity of different ends, but also how these means change over time in relation to ends and, as we shall see, shape them.
This conceptual background requires the adoption of a longitudinal perspective to the study of risk culture production in specific organizational sites. To underwrite the processual nature of the study of risk culture, we posit the idea of the workstream as a provisional theoretical construct. Workstreams are site-based, actor-rich units of analysis within which responses to institutional complexity are visible and which change over time in the way they draw on different logics of ends and means. In line with a meansends decoupling perspective, we expect to find a range of activities oriented to risk culture which may or may not become 'practice', namely 'constellations of socially meaningful activity that are relatively coherent and established' (Thornton et al., 2012, p. 128). As we shall see, risk culture workstreams seek to stabilize the construction of risk culture through its practical operationalization, yet this flow of work is dynamic and unstable as it responds to the complexity of both means and ends.

RESEARCH APPROACH
This section describes our methodology, data sources, data analysis and presentation. We approached the analysis of risk culture from the broad standpoint of interpretative studies of accounting and management practices. These studies traditionally emphasize 'thick' analysis of how research subjects develop their own understandings and meanings in relation to a unique phenomenon (Ahrens and Chapman, 2006). Our analysis was also loosely informed by elements of critical realism (Danermark et al., 2002;Reed, 2005) in order to go beyond the observed experiences of field actors and to address the underlying dynamics that might explain patterns in the organizational trajectory of risk culture workstreams.

Data Sources
The empirical material that informs this paper stems from a 4-year (April 2012 -December 2015) research project based on three core data collection methods. First, we searched the websites of consulting firms, professional associations and ratings agencies, and reviewed documents containing references to the term 'risk culture' in the financial sector. In addition, regulatory reports published since the onset of the financial crisis were reviewed. These documents can be seen as 'normative practitioner texts': they are written for practitioners and reflect normative guidance on what 'good' risk culture should look like. On this basis, the analysis of these documents helped to gain a sense of the discourse of risk culture, its links with the definition of problems of 'excessive' risktaking and the presentation of possible reform strategies.
Second, we were able to gain research access to the senior risk managers of five banks and four insurance companies, who permitted semi-structured interviews with senior risk personnel and other members of staff. In three organizations, we were able to facilitate group discussions based on the use of a short survey instrument. We also conducted semi-structured interviews with regulators, members of professional associations and members of advisory firms. In one of these, we participated on several occasions in their product development discussions. As shown in Table I, we also conducted ad hoc interviews and meetings with individuals in senior Risk Function roles and with other actors such as freelance consultants, although these interviews generally did not lead to further interactions and case analysis. In total, we met 65 individuals, in addition to the group discussion processes. When we could not record the meetings, detailed field notes were taken by each researcher and then collectively discussed soon after data collection.
Third, as a strategy of field immersion, we participated individually and collectively in several events, which were organized by banks and insurers, consulting firms and professional bodies with the specific aim of discussing the concept and implications of risk culture. These sessions normally involved senior and middle managers in a range of positions, including Chief Executive Officers (CEOs), Chief Risk Officers (CROs), Heads of Business Units, Internal Auditors and Compliance Officers, as well as consultants, regulators and representatives of accounting, auditing and risk management Face-to-face interviews with 4 policy advisers Professional associations Meetings with members of internal audit association, ISO (risk management committee), insurance association (2 members), accounting association (2 members), risk management associations (3 members) 3 public events 3 internal workshops Other interviews and meetings Face-to-face interviews and meetings with senior risk managers (insurers and banks) and other actors (e.g. freelance consultants, HR specialists) professional bodies. Detailed notes were taken while attending those sessions, allowing us to capture extracts of conversations between participants.

Research Background and Selection of an Exemplar Site
Our methodological orientation produced disparate sets of data. In our initial analysis of the research project's data, we aimed to document the variety of workstreams and actors involved in the operationalization of risk culture at the organizational level and to understand systematic patterns, not least in terms of the organizational authority of the Risk Function, and how it theorized the trade-off between opportunity and precaution in constructing risk culture. However, this initial data analysis produced more puzzles than answers, in large part because the nature of risk culture workstreams was changing over time. For example, our preliminary analysis of risk culture workstreams in 2012 revealed that actors were both warmly disposed towards a more interactive managerial approach to culture and influence over behaviour, and also openly critical of more formal diagnostic methods. Interviewees seemed to be mindful of policy prescriptions to create, for example, an open environment for 'thoughtful debate' (Sants, 2012) rather than reducing risk culture to a matter of financial incentives.
Yet, while these organizational actors were reluctant to endorse purely procedural approaches to risk culture, they also recognized the need to demonstrate, to boards as much as to regulators, that 'something was being done'. In other words, there had to be some form of documentary evidence, almost regardless of its content and causal efficacy in terms of cultural change (Bromley and Powell, 2012). Towards the end of our study, we observed the steady proliferation of more formal diagnostic tools, such as surveys. In some cases it seemed as if the ability to run a credible survey was in itself an indicator of the organizational authority of the Risk Function, regardless of the information that such tools could provide. The results from risk culture surveys were often the basis for metrics of 'good' or 'bad' risk culture that contributed to performance reviews. This initially observed tension and dynamic within risk culture workstreams could not be explained solely in terms of the institutional complexity of ends, i.e., the complexity created by the logics of opportunity and precaution. Rather, it had more to do with a complexity of means or management processes. Not only did reflection on this puzzle require us to combine insights from work on means-ends decoupling and institutional complexity as described in the previous section, but we also decided to analyse in more depth the data collected from a specific case -an international insurance company anonymized as Alpha. Our aim was to document in a more granular way whether and how the means of intervention could be associated with distinctive logics of action, and how such logics could be related to the logics of opportunity and precaution.
Alpha is an exemplar research site within our study for three reasons. First, in common with the other organizations to which we obtained research access, it has 'systemic' importance for the UK financial regulator. Second, our prolonged engagement with key actors in Alpha meant that we could in principle access the longitudinal dynamics of risk culture workstreams. Third, within Alpha, responsibility for risk culture was allocated to a risk manager who was also externally recognized as an influential 'carrier' (Sahlin-Andersson and Engwall, 2002) of risk culture ideas and practices, often speaking at public events and seminars. For this reason, we expected that Alpha would be a setting in which the workstream on risk culture would have both internal prominence and external visibility.
Our analysis of Alpha's risk culture workstream is based on multiple sources of data. We met three times (plus informal meetings at public events) the person who eventually became responsible for the risk culture workstream in the second half of 2012. Given the pivotal role in our analysis, we specifically indicate this person as the 'Risk Manager' in the case narrative that follows. One of the meetings with the Risk Manager was also attended by a person -with a background in consulting, corporate and financial services -with whom the Risk Manager worked closely to elaborate ideas and practices about risk culture. In addition, we met five other managers, who all had significant work experience in Alpha in various roles. When the interviews were carried out, two were senior managers in the Risk Function, two were working in Human Resources (HR) and one in the area of regulatory compliance. All the meetings were recorded and subsequently fully transcribed.
Other sources of data included attendance at events where Alpha's managers presented their approach to risk culture, a review of internal documents (e.g., presentations with phases and expected outcomes of risk culture work), observation of risk culturerelated posters in the office corridors, and analysis of publicly available documents, such as annual reports and corporate governance documents. Finally, managers from Alpha's Risk Function attended the presentation of the interim and final results of our broad research project. We obtained feedback on the research project report and on a document containing a selection of indicative quotations that have been used to develop the case study.

Data Analysis
We analysed the data collected from Alpha in three sequential steps. Initially, we found evidence of what can be seen as the 'problematization' of work arrangements related to the Risk Function and risk management processes. Early discussions reflected concerns with the status of the Risk Function and criticisms of formal risk management. But this problematization of existing practices and aspirations for change included conflicting views on how to balance the need for more visible risk management roles and processes, with the ambition to maintain a 'performance-orientated' culture. Because of these tensions, from the outset we regarded Alpha as a prima facie relevant site for the investigation of organizational responses to institutional complexity.
In the second phase of our analysis, we adopted an inductive approach to the derivation and analysis of logics (Reay and Jones, 2016), trying to induce key patterns underlying the selection of practices, the theorization of risk culture and the mobilization of organizational actors towards it. In line with previous studies based on the analysis of qualitative data (see Gioia et al., 2013), our coding strategy initially produced a broad list of first-order themes, which reflected the various ways in which organizational actors framed their activities on risk culture. We subsequently reduced these first-order themes to a set of second-order themes by clustering them both in relation to their focus (e.g., work practices vs. theorization efforts) and also in relation to their prevalence over the period covered in our study. For example, in 2013, the workstream could be characterised predominantly by an emphasis on 'interactive' practices such as networking and conversation enablers. Subsequently, it could be characterised by an emphasis on 'diagnostic' practices, such as measures linked to incentives. Finally, we distilled these second order themes even further into two aggregate dimensions, which we designate as organic and engineered logics of means. These two inductively derived logics underpin our theorization of the institutional complexity which is at stake in Alpha's workstream. Figure 1 provides an overview of this three stage data structure.
The third step in our analysis of Alpha's data focused on how key organizational actors experienced the conflicting views about the ends of the risk culture workstream and, by implication, the complexity of different means of risk culture production. We capture perceptions of complexity based on actor references to such things as: internal pushback, limited resources to accomplish tasks, unclear targets and uncertainty about the selection of appropriate courses of action. In so doing, we were able to partly ground the derivation of the two logics in Figure 1 in changes in perceived complexity.
The analysis of Alpha's workstream over time provided the basis for developing a model of risk culture dynamics. In building this model, our mode of analysis shifted from inductive to abductive reasoning as we iterated between the specific findings from the Alpha case and prior work on responses to institutional complexity and means-ends decoupling. In so doing, we highlight similarities with, and points of contrast to, previous studies of responses to institutional complexity. However, most importantly, we outline the dynamics that support our key claim that, in the case of risk culture, means and ends seem to be co-produced via conflicting logics of actions, rather than decoupled (Bromley and Powell, 2012). In addition, to corroborate elements of the model of risk culture dynamics derived inductively from the Alpha case, we also returned to the broader data set of our project on risk culture. In this way, we were able to confirm, albeit tentatively, more general features of the navigation of institutional complexity via risk culture workstreams. Thereby, we also reinforced the status of Alpha as an exemplar of field-level dynamics in the production of risk culture.
In summary, our data presentation strategy reflects a combination of the inductive analysis of a specific site to develop a model of risk culture dynamics which is then abductively corroborated by insights deriving from prior literature as well as from the other settings to which we had access. To organize our data presentation below, we borrow from Nicolini (2009) the idea of 'zooming in' and 'zooming out'. First, we zoom in to the risk culture field to explore the level of operationalization and its underlying logics in Alpha. Second, in line with a critical realist perspective (Danermark et al., 2002;Reed, 2005), we zoom out to reflect on patterns and mechanisms that cannot strictly be observed but are theorized as producing the observed level of experience and work by organizational actors.

ZOOMING IN: PRODUCING RISK CULTURE AS CORPORATE CHANGE
Alpha's organizational initiatives on risk culture were triggered by perceived failures in the Risk Function and problems for its status. The Risk Function 'was not seen to be held in high regard and certainly didn't have much influence in the organization' (senior risk manager). A challenging report from Internal Audit highlighted deficiencies in the contribution of the Risk Function. As put bluntly by a senior risk manager: 'we as an organization recognized [that] we needed to invest more heavily in risk management'.
In such a context, the initial interactions with Alpha's managers suggested uncertainty and conflicting views about what a risk culture workstream should achieve. There was open criticism of the past orientation towards procedures and compliance in risk management. Even the manager responsible for regulatory compliance argued that 'if you go back a number of years, you'll find there was a heavy compliance component so you had lots of status on how people progress by implementing frameworks or assessment against each type of risk, and how well it's been complied with'. This predominant focus on framework compliance meant that risk had very little relevance to decision makers. In fact, the same interviewee argued that managers in some parts of the organization 'were quite happy to do risk management if somebody came and held their hand, there was less willingness to do it on their own'.
In response to this criticism of compliance oriented risk management, risk managers aspired to something that was 'embedded' in daily decision-making, providing the basis for 'risk conversations'. This necessitated finding a 'clever way' to get information reported without putting too much of a burden on the business and to establish trust in the Risk Function. It also meant that the language and goals of risk management had to get closer to the needs of front-line staff. For example, according to one senior risk manager, it was necessary that 'as much thought is given to opportunity in the upside of risk as is currently given to downside compliance'. Accordingly, at the outset we were aware of tensions in these change aspirations for the Risk Function -tensions which mirrored the societal-level problem of the balance between risk control and risk-taking in financial institutions discussed at the beginning of this paper.
This tension was evident in senior managers' attitudes towards risk reporting and their trust in the Risk Function. One interviewee stressed the need to make individuals able and willing 'to report risks openly and honestly without getting [their] head bitten off from the second that's done' (compliance manager). Yet another interviewee warned about a potential trade-off between open and honest reporting and the pressures for opportunity-seeking behaviour within a performance-orientated culture: 'One of the things that we're cautious about [is that as] you introduce a more performance-orientated culture and more accountability then obviously you may negatively impact the willingness of people to talk about mistakes'. (Senior risk manager) More generally, despite the financial crisis, there were still concerns about losing sight of risk and risk control. One interviewee commented that it was important 'that risk doesn't lose some prominence as a result of being intermingled with customers and people and other things' (HR manager). People may become 'overexcited' and do deals that lead to 'a bizarre incident' (HR manager). The relation between risk control and a performance culture seemed to be inherently unstable. As put by one interviewee, 'when the decay happens, you don't spot it and then the pendulum will start to swing the other way' (compliance manager). An internal presentation warned that pressures to meet sales targets 'may cause risk factors to be ignored'.
As we show below, within Alpha, this complexity of ends effectively became displaced and translated into a different kind of complexity, namely that of the means through which the change ambitions could be made operable, giving rise to considerable uncertainty and to pragmatic experimentation.

New Standards, Policies, and Communication and Training Programmes
At the time of our first visit, in 2012, managers from Risk, Compliance and Human Resources supported a series of changes to make risk more prominent in organizational conversations. One junior person was made responsible for acquiring 'input from two or three external private companies' (HR manager) and put together material to support different lines of action for discussion by members of a cross-functional team.
The changes that followed were partly structural and informational, including the creation of a database to record the risk information resulting both from whistleblowing and also from more routinized risk and loss event reporting. 'Risk policies' and 'business standards' were also developed in order to clarify the behaviours which should be encouraged or avoided. These new policies were supported and animated by the use of concrete examples, ranging from pre-employment screening to new product development.
Another set of changes concerned 'communication and training' which included different elements: compulsory training in new regulatory requirements for all directors to 'help people understand how we make money and make better business decisions ' (HR manager); a new section of the intranet, which 'attracted the most hits of any portion of our internal site' (HR manager); and the creation of a fictional character for a webbased game to exemplify issues about risk-taking and control decisions.
These new risk policies and communication programmes constituted visible and topdown supported activities, and even received external recognition in the form of an award for the best communication programme. However, while interest in risk culture within Alpha and other organizations was beginning to take off, the lack of a consistent industry perspective on this intangible object was acknowledged as a problem. Within Alpha, risk managers recognized pushback from certain business areas unaccustomed to dealing with the 'softer elements' of behaviour in organizations, such as the actuarial and finance functions. The risk section on the intranet and the use of a fictional character as a conversation enabler received mixed responses: 'some people loved it as a simple explanation, some people thought it was a bit puerile' (HR manager).
Overall, members of the cross-functional team came to recognize organizational fatigue with, as well as a lack of direction in the orientation of, the wide range of new policies and change programmes which had been more or less loosely connected to a vague object -risk culture. In line with Bromley and Powell's notion of means-ends decoupling, an internal presentation asked whether the new policies and structures were 'effectively achieving the intended outcome'.

Joining the Dots
In the second half of 2012, responsibility for risk culture was allocated to a single individual (hereafter: Risk Manager). This person had extensive experience in various riskrelated roles, but also experience in a large consulting company which had been one of the first to provide risk culture services. The Risk Manager also contributed significantly to the guidance on risk culture published by a professional association of risk managers (hereafter: Risk Institute).
Faced with a wealth of new policies, procedures and communication programmes but also with a perceived lack of understanding of what they meant from a risk culture perspective, the Risk Manager focused on 'fine-tuning' existing instruments and 'pragmatically' connecting processes, people and tools that may be relevant to offset 'vulnerabilities' in risk culture. This way of pragmatically reaching out for anything that may be relevant for risk culture was sustained by personal experience. For example, the Risk Manager believed that Alpha lacked the conditions for the successful implementation of a large-scale risk culture survey based on previous experience with a similar initiative in a different insurer.
At this time, the Risk Manager found the term 'organic' a useful label to capture two specific dimensions of the work being done. The first was the way in which risk culture was 'theorized' as an object of managerial intervention. Risk culture in Alpha was not one thing, but many things that could (and should) be connected to each other. Theorizing risk culture in this way was therefore necessarily expansive. As put by the Risk Manager, it implied a commitment to capture and work with organizational complexity by 'linking the dots' and developing 'a sense of how everything is connected' rather than reducing risk culture to a one-dimensional definition.
Second, this way of theorizing risk culture was intertwined with a recognition of the value of practices that support organizational interaction. For example, internal networking became an important component of risk culture work, not least to 'influence and organize a number of people who are interested in the topic' (Risk Manager). There were also frequent references to existing processes that would enable risk conversations. In fact, one interviewee referred to previous experience in the business end of the organization to suggest that even the existing formal risk framework could form the basis for a meaningful conversation: 'I actually spent a huge amount of time with someone from the second line [Risk Function] who was basically explaining to me how I should manage my own risks. And things like loss events, near misses, breaches, all made 100 per cent sense to me when it was explained that this was the model that we had to work to'. (HR manager) However, this organic logic and its underlying efforts to operationalize risk culture gave rise to another source of complexity for the Risk Manager. First, the lack of new processes or instruments raised concerns elsewhere in Alpha that nothing visible and concrete was being done on risk culture. Second, the informal networking and 'joining the dots' work described above was not formalized into a full time role. Risk culture-related efforts were enacted in addition to a number of other activities that took most of the Risk Manager's internal working time. Not surprisingly in the light of these problem areas, the statements made by the Risk Manager in early 2013 were cautious, as shown by expressions such as: it is 'broadly an ambition for me'; 'I don't have still the full support'; 'it's quite difficult to get traction'.

Diagnostic Tools and Modelling
In the second half of 2013, the presence of an HR specialist and a senior risk manager during one of our meetings with the Risk Manager was a tangible sign of the emergence of an internal network of people interested in the work of the Risk Manager. Our conversations with this group suggested that the Risk Manager's pragmatic search for risk culture-relevant levers had achieved organizational traction in a specific way -namely via the use of a diagnostic tool adopted as part of a large-scale employee engagement survey led by HR. When describing the tool, one interviewee displayed confidence in the specific contribution of the Risk Manager: 'One of the pieces of work that [name of the Risk Manager] has supported this year is that we, through our engagement survey, will be able to see some key indices which actually together we've aggregated into an index around risk'. (HR manager) The 'organic' internal networking efforts of the Risk Manager contributed to position risk culture issues as part of the engagement survey process at Alpha. Moreover, the specific risk culture content of the survey was based on the Risk Manager's personal experience in the development of the Risk Institute's guidance on risk culture. The Risk Manager was able to identify a set of basic questions that could be added to the questionnaire, as well as to suggest dimensions such as 'accountability' and 'tone from the top' that could be investigated with survey's data.
From the use of the survey emerged a view of risk culture as something which could be analytically defined, identified and aligned with external guidelines and regulatory consultation documents. While there were references to an Alpha-specific model of risk culture (hereafter Alpha's Model), there was also a growing interest in comparability and regulatory norms. For example, the Risk Manager emphasized the need to identify 'the traits or fundamental traits from the risk culture perspective' and relate those to regulators' expectations: 'So if integrity is important to customers, which is an important thing given the environment that we are in [given] FCA [3] expectations . . . so if customers is a key element of our culture we just need to probably articulate that more explicitly'.

(Risk Manager)
This way of articulating risk culture was part of a discourse that was increasingly legitimate internally and also more confident about what ought to be done about risk culture. The diagnostic survey, combined with the work of the Risk Manager and attempts to 'model' risk culture, contributed to 'good insight on where we are' (Risk Manager) and 'a sense of our baseline around culture' (HR manager).

Measures, Incentives and Realizing Performance Potential
'I think since we met you see much more push, external push, which means that internally it helps as well' said the Risk Manager in early 2015. Targeting risk culture appeared easier given more defined expectations about what constitutes compelling evidence of risk culture work. As shown in the following quote, early theorization efforts and experimentation can now be tested against regulatory expectations, as well as against guidance documents for risk managers: 'I mean regulators are much more interested, so you have seen since we met a paper from the FSB on risk culture and success factors around risk culture. So, you have more guidelines and guidance and expectations around what they like to see. You see, I have seen [many] more tangible ways to articulate what they like to see from consultants [including] some measurements and things like that'. (Risk Manager) At one meeting, the Risk Manager invited an external person -at the time CRO for another insurer -as the two of them 'have worked very closely on the risk culture topic'. [4] During the meeting, it was clear how the two had discussed ways in which their internal models and diagnostic tools were aligned with each other, and with normative practitioner texts such as the guidance documents on risk culture published by the Risk Institute and the FSB.
In Alpha we see that the early tentative informal network building approach was increasingly displaced by the selective mobilization of external references, and by senior executives driving risk culture considerations into the assessment of how decisions were taken. As put by the Risk Manager, 'now we are actually more top-down: the CEO and HR are really more trying to drive it'. The risk culture space in the annual engagement survey was consolidated into a set of questions that expressed Alpha's Model. Members of the Risk Function, including the Risk Manager, used the survey results, as well as other qualitative elements, to evaluate key business decisions taken during the year. The aim was to assess the achievement of a 'risk and control objective' set for each business unit.
In this later period of our fieldwork, the discourse of the Risk Manager and colleagues suggested a normative orientation towards defining targets for the 'right' behaviour and 'strong' risk culture. The previous 'joining the dots' efforts had given way to a more engineered approach, i.e., risk culture was conceptualized as a target for management and a latent variable to be measured (see Willman, 2014, Ch. 9). Survey results supported the development of a 'risk index' (Risk Manager), which was related to in-depth assessments of key business decisions. The index gained organizational traction thanks to the development of links between risk culture data and incentives schemes, with real effects on bonuses and career prospects. As put by a senior risk manager, 'if we observe significantly negative risk management behaviours, that can knock out the bonus entirely'. The Risk Manager gave the example of a senior manager who had to leave because of 'weak risk culture and weak control environment'. According to the Risk Manager, it was not only a matter of poor business outcomes, but 'one of the elements was that tone from the top wasn't really the right thing' (emphasis added).
As Alpha's risk culture workstream unfolded over the period 2012-15, the production of risk culture shifted from the challenges and uncertainty of a 'pragmatic' joining the dots approach to a more 'selective' focus in which risk culture was increasingly identified in terms of variables that can be measured, targeted, and compared across business units, organizations and time. We found evidence of 'simplification processes' (Kostova et al., 2008(Kostova et al., , p. 1002) whose reference points are FSB's documents and other guidelines, and internal targets. The Risk Function was now selectively mobilizing 'something that's going to hit pretty much everyone and so you're focused on some key questions' (senior risk manager) rather than searching for new ways of dealing with risk culture. The risk culture workstream had become more tangible and more 'granular', and the Risk Manager admitted that work on risk culture had now become 'quite powerful'.
As part of this change in the logic underlying the means of interventions on risk culture over time, we also observed a shift in the logics of ends underlying the aims of Alpha and its Risk Function. At the beginning of the period covered in this study, there were cautionary remarks about the dangers of swinging the pendulum too far in the direction of performance. By the end, a different perspective seems to be preeminent. Risk culture had crystallised as a workstream to help assess best practices around risk management across different teams and individuals. In fact, all the diagnostic work around culture was now about how you actually 'unleash potential' and 'drive high performance' (HR manager). The Risk Manager reinforced these emerging connections between performance improvement and risk culture work. Members of the Risk Function now had a licence to assess business units, their cultural traits and their progress towards the achievement of performance targets.

ZOOMING OUT: NAVIGATING INSTITUTIONAL COMPLEXITY
The preceding analysis provides a longitudinal snapshot of a risk culture workstream. While the workstream was initiated in the wake of disappointment with existing (procedural) ways of dealing with risk management, it ended up drawing on narrow conceptions of human agency which emphasize how risk culture can be engineered into diagnostic tools, leading to clearly-identifiable and targetable behavioural change. Moreover, while early work is characterized by cautionary remarks about the dangers of overlooking risks when making new business deals, towards the end of our study of Alpha, we observe a reframing of the role of the Risk Function in line with a 'performance-orientated' culture.
In what follows, we provide a schematic theorization of this outcome by 'zooming out' from our field work (Nicolini, 2009). We argue that the local production of risk culture within our event window at Alpha reveals more systemic features of reactions to institutional complexity. Our inductive theory-building consolidates the insights derived from the case study of Alpha in the light of previous work on institutional complexity and means-ends decoupling. Finally, we corroborate key aspects of the model derived from Alpha, albeit provisionally, with observations of risk culture workstreams in other settings.

A Model of Risk Culture Dynamics
In Figure 2, we sketch a dynamic representation of the themes emerging from the case of Alpha. At the core of the figure, we have the two logics of means (organic vs. engineered), which are derived from and characterize distinctive patterns underlying the selection of managerial practices, the theorization of risk culture and the mobilization of organizational actors towards it. The figure also emphasizes three key dynamics: the shift from complexity of ends to complexity of means and the parallel amplification of complexity; the shift from an organic to an engineered logic of risk culture production; complexity reduction with the consolidation of an engineered logic, and the parallel reframing of organizational ends.
In line with previous studies informed by an institutional logics perspective (Thornton et al., 2012), the case of Alpha suggests, perhaps unsurprisingly, that the onset of risk culture workstreams can be related to the local problematization of existing work routines and to the theorization of new work processes and abstract categories (Strang and Meyer, 1993). Problematization involves more than just criticism of procedural approaches to risk management and the perceived lack of status of the Risk Function. Part of the discussion also revolves around the more general complexity issue of balancing risk control and risk-taking (Power, 2014), reflecting societal level reaction to excessively risky business decisions.
In the light of such debates, organizational actors in Alpha experience conflicting institutional demands around organizational ends (Pache and Santos, 2010), which is typical of situations of institutional complexity (Greenwood et al., 2011). But we find that organizational actors also experience an additional form of complexity in terms of the means through which ambiguously-defined ends can be achieved. Consistent with recent work on means-ends decoupling (Bromley and Powell, 2012;Dick, 2015;Wijen, 2014), we observe in Alpha an explosion of new policies, processes, change programmes but also increased perplexity about their purpose, leading often to internal pushback. Moreover, at this early stage, the risk culture workstream exhibits many of the features of means-ends decoupling (Wijen, 2014): a multitude of heterogeneous actors, the absence of field-level 'best practices', and unease with the unobservability of risk culture.
Our process model takes this apparent means-ends decoupling as its point of departure and sheds light on the ideational dynamics that follow from actor perceptions of complexity about means. As argued above in the data analysis section, our analysis of Alpha supports the inductive delineation of two logics of means, which derive from and characterize distinctive practices and ways to mobilize organizational attention (Thornton et al., 2012, Ch. 6). The two logics of means are also intertwined with the very theorization of the object of intervention itself, namely risk culture. Such theorization work does not precede the workstream it informs, but rather both are co-produced and mutually constitutive (see Friedland, 2012). Figure 2 provides a dynamic view of how the two logics of means are interrelated in order to explain the shift from one to another. We place pragmatic reaching out outside the realm of the organic logic to highlight its role as a 'generative' mechanism. As with other studies of actor-level accounts of responses to institutional complexity (see 'situated improvising' in Smets et al., 2012), pragmatic reaching out is neither purely strategic nor unintentional. Rather, it implies that organizational actors have a provisional understanding of what is possible for a new workstream (e.g., in a cost-constrained environment an ad hoc large-scale survey would not receive enough support), and are also sufficiently open-minded to search for new methods and new internal allies to make progress with risk culture.
Pragmatic reaching out can also be interpreted as a 'sensemaking' mechanism, through which 'social actors turn circumstances into situations that are comprehended explicitly in words and that serve as springboards for action' (Thornton et al., 2012, p. 96). In our model, pragmatic reaching out is a way to mobilize action via interactive practices such as internal networking and the use of conversation enablers. In turn, these interactively-oriented practices contribute to a more expansive theorization of risk culture as an object. On this view, risk culture as an object results from 'joining the dots' between current processes and activities rather than being theorized in a way that separates it from other facets of organizational life. In short, logics of means and the objects to which they are oriented co-emerge (Friedland, 2012).
We also place pragmatic reaching out at the end of the cycle within the organic logic box for two reasons. First, it does not stop but runs in parallel with the use of interactive practices and expansive theorization. Second, pragmatic reaching out also acts as a 'bridging' mechanism (Smets et al., 2015) between different logics of means. We posit that, by pragmatically reaching out, organizational actors such as the Risk Manager in Alpha learn from experience where they can or cannot get traction. A key finding in Alpha is that organizational actors begin to recognize that the organic logic, and its implied conception of risk culture as an object, creates problems for their ability to intervene in the business end of the organization. For example, the Risk Manager had to respond to the criticism that nothing (visible) on risk culture was being done. However, by reaching out to others with a stake in the culture debate, organizational actors also learn about specific tools that could help deal with such criticisms within a resource-constrained environment. In this way, within Alpha, risk culture became more closely associated with the deployment of a survey-based tool for the diagnosis of culture.
This turn towards diagnostic cultural tools in Alpha reflects a more generalized dynamic, namely that 'practices are not merely determined reflections of institutional logics; they are also tangible focal points for shifts or alterations in institutional logics' (Thornton et al., 2012, p. 129). The survey is not proceduralist per se. In line with an organic logic, it could in principle be used as a conversation enabler, as was the case initially with the risk framework in Alpha. However, the possibility of its use sets in motion the conditions for increased proceduralism. To make it credibly operational, it requires the definition of key aspects of a risk culture model that can be aligned with existing models and regulatory expectations. In so doing, organizational actors can represent the survey as a valuable support for benchmarking and target setting.
We use the term selective mobilization to emphasize this shift from a rather open-ended process of reaching out towards the selection of key reference points for comparison and targeting, and for the foregrounding and prioritization of specific audiences (see the idea of 'reorienting the normative network' by Smets et al., 2012). By the term 'mobilization' we also seek to emphasize the shift from the tentative, and rather open-ended, activities of a single actor to the collective work of a group of actors who are mindful of the opportunities and constraints posed by institutionalized demands for auditable evidence of 'good' risk culture (Power, 1997).
In our model, selective mobilization replaces earlier pragmatic reaching out efforts and provides a way to address the complexity of means through simplification processes (Kostova et al., 2008), exemplified in Alpha by the dominance of a specific reading of risk culture in terms of remuneration and incentives. More generally we can say that the initially uncertain 'risk object' (Hilgartner, 1992), symptomatic of reckless risk-taking, was increasingly framed in language which emphasized the possibility of behavioural change and performance improvement. In this way, risk culture in Alpha, which was initially associated with a shift towards a logic of precaution, became transformed, reduced and appropriated within a specific workstream that revalidated a logic of opportunity and risk-taking. The dynamic model which we have derived from the case of Alpha suggests that, as organizational actors navigate institutional complexity, ends and means coevolve over time as they are reconstructed through workstreams animated by different of logics.

Supporting Insights from the Risk Culture (Battle)Field
Drawing on our broad data set, we can tentatively triangulate the process model induced from the case study of Alpha with workstreams at other institutions, including regulators, professional associations and consulting firms. By the end of our study, there was no shortage of normative practitioner texts embodying what we call an engineered logic. For example, the FSB 2014 guidance provides a 'framework for assessing risk culture' that indicates elements and indicators of a 'sound' risk culture. Practitioner articles also provide an abundance of diagnostic tools in the form of wheels, scorecards and frameworks (Davidson et al., 2012;Deloitte, 2015;EY, 2015;IRM, 2012;Levy et al., 2010;PWC, 2012). In line with the process model developed above, these diagnostic tools frame risk culture as an opportunity for performance improvement and emphasize the possibility of behavioural change via new management tools.
However, our interactions with advisers and regulators between 2012 and 2015 also showed how the development of such an outcome went through a process similar to the one illustrated in Figure 2. This was particularly evident from our prolonged engagement with a group of advisers from a global consulting and auditing firm. As with Alpha, the beginnings of their workstream on risk culture was characterised by the problematization of existing risk management frameworks and scepticism about financial incentives as an ultimate explanation of individuals' behaviour. These views were expressed during our meetings but also surfaced in their thought leadership papers and exploratory surveys on specific problem areas (some of which were cited by Alpha's Risk Manager). Nevertheless, as recognized by one adviser [5] , all this activity only led to 'rambling' conversations and they felt pressurized to find something 'tangible' to 'propagate a good risk culture'. Like Alpha, a diagnostic survey provided the basis for the shift from risk culture as a 'great talking point' to something amenable to measurement and management (see Willman, 2014, Ch. 9). As part of this shift, the workstream came to be occupied by remuneration experts with a focus on individual incentives.
The early uncertainty in the internal workstreams of advisers, who are normally regarded as key suppliers of new management ideas (Sahlin-Andersson and Engwall, 2002), reinforces the view that the risk culture field was initially characterized by the lack of a clear centre of production and a high degree of opacity (Wijen, 2014). Regulators, advisers and corporate actors were searching for ways to reframe the balance between risk-taking and control via risk culture, but in so doing they encountered, and experimented with, a number of diverging activities and ideas. So not only the Risk Manager in Alpha, but also other actors in financial services were tentatively trying to construct networks of likeminded participants. Even the production of the FSB guidance relied on the 'collective experience and efforts of supervisory and regulatory authorities across the FSB membership and insights garnered from market participants through roundtables and bilateral discussions' (FSB, 2013, cover page).
All of these networking initiatives faced a similar problem of producing something tangible that would sustain further interaction and work efforts. The key challenge was how to get from culture as a 'soft' thing, shaping and being shaped by 'contact time', to risk culture as an advisable and manageable object. In line with our process model, in both consulting firms and corporate institutions, risk culture workstreams gravitated towards an engineered logic.
While the case of Alpha is indicative of a cooperative transition, there was more conflict in other settings. Some initiatives which reflected an organic logic were associated with specific individuals and groups whose internal authority was far from uncontested. By problematizing existing practices, they also sought to expand their organizational footprint. For example, in the UK subsidiary of another insurance conglomerate, a team of risk managers organized focus groups with the involvement of senior management to discuss staff responses to a short questionnaire. The CEO claimed that one of the sessions was 'thought-provoking, and that's the important thing'. The head of the team organizing the session subsequently commented, with satisfaction, on the level of senior management involvement. In an internationally active bank, a new oversight body was created to mediate the business front-line and the board, stimulating attention to risk culture via scenario analysis and case-based discussions. This new body co-existed with a more traditional Risk Function. The risk oversight body had the authority to do 'deep dives' on any part of the business, including commercial units, while the traditional Risk Function did not have this possibility.
Yet, both these 'creative' initiatives became contested. In less than two years, between 2012 and 2014, other groups of functional experts, including members of the Risk Function, leveraged different means of intervention in risk culture. The oversight structure in the bank was problematized given the difficulty of explaining its anomalous position, which cut across different lines of responsibility, to regulators. Eventually, the main focus of intervention became a branch-level incentives-based approach led by the traditional side of the Risk Function. The survey-based discussions in the insurer also lost traction. A challenging internal audit report emphasized the lack of clearly articulated targets for risk culture. Following an organizational restructure, a new team designed a different set of interventions, with the ambition to develop metrics and targets for risk culture improvement, as part of what a risk manager defined as the 'refreshed culture piece'.
In both cases, the new means of intervention reflected both a turn towards an engineered approach to risk culture production and also the aspiration by members of the Risk Function to promote and rebuild a logic of opportunity and risk-taking. The risk manager leading the new initiatives in the insurer stated that their role was to help the business to recognize where risks should be taken. The head of risk management in the bank emphasized that the new metric-driven initiative had a real impact 'at the coalface of the boys and girls that sit on the counter in a branch', helping them to know their customers better and to realize profits while 'doing the right thing'.
These additional insights support the view that risk culture workstreams are a patchwork of activities that occur at dispersed sites where discrete, but not entirely autonomous, clusters of actors work to develop ideas and practice. The use of an organic logic is not only a way to make sense of mixed activities in an opaque field, but also a way to improve the organizational footprint of groups of functional experts whose authority is far from being consolidated. An organic logic implies the theorization of new control and communication processes that challenge existing routines and hierarchical relationships. But these new processes are 'creative' solutions, whose characteristics or outcomes are hard to explain or demonstrate -as in the case of the risk oversight body and the focus groups briefly discussed above. As noted by Strang and Meyer (1993), there is an inevitable tension between individual theorising and legitimated collective theorization. While local theories often gain traction by running counter to common sense, theories that are line with standard thinking are more reproducible.
An engineered logic of means holds wider organizational appeal in terms of generating workstreams which produce demonstrable, reproducible and comparable results. It also produces relatively simple and non-controversial explanations for financial sector failures. Towards the end of our field work, we sensed the apparent domination of risk culture narratives by problems of performance management and remuneration design in Alpha and other settings, reinforced by a societal level 'moral panic' about bankers' pay in the UK (House of Commons Treasury Committee, 2009). This focus excluded more psychologically and anthropologically compelling explanations of behaviour based on peer group recognition, perceived local status and social networks. Finally, as emphasized in our process model, the turn to a less expansive engineered logic produces a means of organizational intervention that seems to be correlated with a return of the 'pendulum' to a logic of opportunity in framing the fundamental ends of financial institutions. This additional evidence from our immersion in the field suggests that the model of risk culture dynamics derived from Alpha is not simply an idiosyncratic description of that case, but potentially has more general properties. Despite the fact that initial triggers for risk culture workstreams at the organization level are critical reactions to procedural approaches to risk management and initially motivate a gravitation towards an organic logic of means, we observe a return to proceduralism and to an engineered logic. Our model also suggests that those who are able to pragmatically deploy both logics of means, as they navigate institutional complexity and muddle through the challenges posed by their internal workstreams, are likely to maintain or even extend their organizational footprint -as in the case of the Risk Manager in Alpha. Those organizational actors who rely mainly on idiosyncratic approaches may benefit from increased visibility in the immediate aftermath of a crisis. But they are also likely to be challenged thereafter, since an organic logic amplifies local complexity.
In contrast, the turn to an engineered logic helps to de-complexify the complexity of both ends and means by producing accessible and reproducible means of intervention which contribute to redefine the balance between risk-taking and control. And they redefine it in a way that helps to obfuscate the uncomfortable fact that, as put by one individual developing a risk culture audit methodology in a large bank, in many areas it may be impossible to make money if financial institutions want to do things 'in the right way' [6] .

DISCUSSION AND CONCLUSIONS
In this paper, we have argued that, following the financial crisis and the growing emphasis on the need to fix their defective risk cultures, financial sector institutions confronted institutional complexity due to a societal and regulatory shift in criteria to define and evaluate what they should aim for, as well as uncertainty about what constituted an appropriate means through which this complexity of ends could be addressed. We have shown that a dynamic constellation of logics of ends and means is embodied in evolving workstreams, which are both oriented to, and productive of, risk culture as an organizational object of intervention.
The paper is based on our 'journey' as researchers into multiple settings where risk culture was debated and instrumentalized. Our analysis of risk culture raises as many questions as it seeks to answer, both about risk culture specifically and about the 'production' of new managerial objects in the face of institutional complexity more generally. More work could be done to delineate the network character of risk culture production, drawing explicitly both on conventional network analysis (Padgett and Powell, 2012) as well as on Actor-Network-Theory (Latour, 2005). Moreover, the emergent nature of risk culture may suggest that we observed the messy, initial phase in the lifecycle of a new concept. The beginnings of what seems today more measurable and manageable (e.g., safety culture in aviation) may have been equally messy. While our analysis suggests that risk culture may not mature in the same way, further studies would be helpful to complement the insights developed in this paper.
Bearing in mind these limitations, the case of risk culture in the UK should be of general interest to organization and management scholars studying both responses to institutional complexity and also the emergence of new practices that have an opaque relationship to outcomes. Our core claim is that organizational actors do not only experience the complexity deriving from societal pressures to create 'better' risk cultures and to rebalance two logics of risk-taking which exist in tension with one another. Rather, we find that this complexity and the tension it represents, becomes translated into another one, reflecting different orientations towards the means through which risk culture might become visible as an object capable of being reformed. At the level of workstreams, organizational actors aimed for, but found it hard to sustain, organic approaches to risk culture and collectively reacted by gravitating to more reductive approaches, which emphasize performance improvement and behavioural change via new measurement techniques.
In this way, our study contributes to research on responses to institutional complexity (Greenwood et al., 2011). While previous work tends to consider 'technical' problems of means as being somehow 'peripheral' and distinct from conflicting pressures at the goals level (see Pache and Santos, 2010, p. 464), our study of risk culture shows that conflict and pressures about means have implications for ends and vice versa. Therefore, pressures about both ends and means are a key feature of the institutional complexity that organizational actors must navigate.
We also extend a growing body of actor-level accounts of responses to institutional complexity (e.g., McPherson and Sauder, 2013;Smets and Jarzabkowski, 2013;Smets et al., 2015;Smets et al., 2012;Voronov et al., 2013), showing how logics of ends and means are reconstructed as organizational actors muddle through the challenges posed by their risk culture workstreams. Our process model sheds light on the dynamics through which organizational actors seek to de-complexify the complexity of both ends and means, thus contributing to calls for work on how organizations can de-intensify institutional complexity's pressures (Greenwood et al., 2011).
Moreover, in line with critical commentaries of the institutional logics approach (Friedland, 2012), this study stresses how logics in action are intertwined with the theorization of objects of intervention and that such theorization work depends on the practices conducted through and with them. A risk culture workstream does not simply implement a pre-given task -be it cross-border law services (Smets et al., 2012), court decisions (McPherson and Sauder, 2013), wine-making (Voronov et al., 2013), reinsurance trading (Smets et al., 2015) -but in fact constructs and operationalizes the object of intervention itself.
The findings reported in this paper are also relevant to recent studies that postulate the emergence and persistence of increased decoupling between means and ends in modern organizations (Bromley and Powell, 2012;Dick, 2015;Wijen, 2014). It is tempting to see the unfolding of risk culture workstreams as a pure form of means-ends decoupling in Bromley and Powell's (2012) sense. For example, pressures for documentable processes around risk culture shape reactions to the institutional complexity of shifting ends, leading to something that has little to do with the aspired cultural change. Indeed, there is a stark contrast between the initial aspirations for risk conversations and the final reductive focus on measures of risk culture.
However, we suggest that the case of risk culture is more one of means-ends co-formation than decoupling. What we describe as problematization in Figure 2 is both a reaction to the danger of 'overexcitement' in business decision-making and excessive risk-taking, and also a criticism of procedural approaches to risk management. The repositioning of risk culture workstreams within an engineered logic is made possible both by a reframing of organizational ends to emphasize opportunity and risk-taking, and also by the parallel difficulty of making organic approaches visible and actionable. In short, logics of ends and means change in relation to each other, and all of this is embodied within the trajectory of risk culture workstreams.
Overall, we suggest that the sets of logics which agents confront and which define 'institutional complexity' may have internal, co-formative relations between each other which deserve further exploration. Our study also reveals a, perhaps unsurprising, cyclical pattern which deserves more analysis. Strong public reactions against excessive risk-taking and criticism of an engineered logic to organizational practices reproduce those very same logics, although under the banner of improved risk culture. Therefore, responses to institutional complexity may be inherently unstable, leading to shocks and endemic reform (Bromley and Powell, 2012). It may be that organizational actors struggle to stabilize that which cannot be stabilized: interdependent logics that reflect different sets of expectations about ends and means and exist in a continuous dialectical relation with one another.
To conclude, we are not in a position to judge whether an engineered logic is a bad outcome: we are not romantics of the organic. Given the highly ambiguous nature of the object itself -risk culture -and the struggles of actors with this ambiguity, there is no standpoint within our study from which to judge whether one operationalization of it is better or worse than any other. An approach to risk culture that embodies an engineered logic of means may become an end in itself and may recreate a mere illusion of control over what can hardly be controlled via procedures (Power, 2007). But equally it may also be used diagnostically as part of a forward-looking process (see, for example, the 'risk exposure calculator' illustrated by Simons, 1999). While making a call on this issue is beyond the scope of our study, it would not be surprising to organization and management scholars if the very managerial processes which provide visible and legitimate evidence of 'better' risk culture, also contain the seeds for further disappointment and calls for further reform. And if institutional complexity is 'real', we should expect it to continually reassert itself despite the simplification strategies of organizational actors.

NOTES
[1] The IIF is a global association of financial institutions, providing research and analysis, networking opportunities and developing proposals that influence the public policy debate.
[2] The FSB is an international body that brings together senior policy makers from key financial centres to monitor the global financial system and to coordinate the development of regulatory, supervisory and other financial sector policies.
[3] In 2013, the responsibilities for financial sector regulation were split between the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) of the Bank of England. The FCA's role includes protecting consumers and promoting competition between providers of financial services.